1. Operations Security
1.1. Understand security operations concepts
1.1.1. Need-to-know/least privilege
1.1.2. Separation of duties and responsibilities
1.1.3. Monitor special privileges
1.1.4. Job rotation
1.1.5. Marking, handling, storing and destroying of sensitive information
1.1.6. Record retention
1.2. Employ resource protection
1.2.1. Media management
1.2.2. Asset management
1.3. Implement and support patch and vulnerability management
1.4. Implement preventative measures against attacks
1.5. Understand change and configuration management
1.6. Understand system resilience and fault tolerance requirements
1.7. Manage incident response
1.7.1. Detection
1.7.2. Response
1.7.3. Reporting
1.7.4. Recovery
1.7.5. Remediation and review
2. Cryptography
2.1. Understand the application and use of cryptography
2.1.1. Data at rest (e.g., Hard Drive)
2.1.2. Data in transit (e.g., On the wire)
2.2. Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
2.3. Understand encryption concepts
2.3.1. Foundational concepts
2.3.1.1. Plaintext
2.3.1.2. Ciphertext
2.3.1.3. Encrypting
2.3.1.4. Hashing
2.3.1.5. Substitution Ciphers
2.3.1.5.1. Monoalphabetic
2.3.1.5.2. Polyalphabetic
2.3.1.6. Transposition Ciphers
2.3.1.7. Stream Cipher
2.3.1.8. Block Cipher
2.3.1.8.1. Electronic Code Book (ECB)
2.3.1.8.2. Cipher Block Chaining (CBC)
2.3.1.8.3. Cipher FeedBack (CFB)
2.3.1.8.4. Output FeedBack (OFB)
2.3.1.8.5. Counter (CTR)
2.3.1.9. Initialization Vector (IV)
2.3.2. Symmetric cryptography
2.3.2.1. Data Encryption Standard (DES)
2.3.2.2. Triple DES
2.3.2.3. Advanced Encryption Standard (AES)
2.3.2.4. Rivest Cipher, Ron's Code (RC)
2.3.2.5. Blowfish
2.3.2.6. Twofish
2.3.2.7. CAST5
2.3.2.8. IDEA
2.3.3. Asymmetric cryptography
2.3.3.1. Rivest, Shamir & Adleman (RSA)
2.3.3.2. Diffie-Hellman (DH)
2.3.3.3. El Gamal
2.3.3.4. Merkle-Hellman (Trapdoor) Knapsack
2.3.4. Hybrid cryptography
2.3.5. Message digests
2.3.6. Hashing
2.3.6.1. MD (MD2, MD4, MD5)
2.3.6.2. SHA (0, 1, 2)
2.3.6.3. Hashed Message Authentication Code (HMAC)
2.4. Understand key management processes
2.4.1. Creation/distribution
2.4.2. Storage/destruction
2.4.3. Recovery
2.4.4. Key escrow
2.5. Understand digital signatures
2.5.1. Digital Signature Standard (DSS)
2.5.1.1. SHA-1 Hash
2.5.1.2. Digital Signature Algorithm (DSA) Encryption
2.6. Understand non-repudiation
2.7. Understand methods of cryptanalytic attacks
2.7.1. Chosen plain-text
2.7.2. Social engineering for key discovery
2.7.3. Brute Force (e.g., rainbow tables, specialized/scalable architecture)
2.7.3.1. Work Factor
2.7.4. Cipher-text only
2.7.5. Known plaintext
2.7.6. Frequency analysis
2.7.7. Chosen cipher-text
2.7.8. Implementation attacks
2.7.8.1. Side Channel
2.7.8.2. Fault Analysis
2.7.8.3. Probing Attacks
2.8. Use cryptography to maintain network security
2.9. Use cryptography to maintain application security
2.10. Understand Public Key Infrastructure (PKI)
2.10.1. Certificate Revocation List (CRL)
2.10.2. Online Certificate Status Protocol (OCSP)
2.11. Understand certificate related issues
2.12. Understand information hiding alternatives (e.g., steganography, watermarking)
3. Access Control
3.1. Control access by applying the following concepts/methodologies/techniques
3.1.1. Policies
3.1.2. Types of controls (preventive, detective, corrective)
3.1.2.1. Before Event
3.1.2.1.1. Directive
3.1.2.1.2. Preventive
3.1.2.1.3. Deterrent
3.1.2.2. During Event
3.1.2.2.1. Detective
3.1.2.3. After Event
3.1.2.3.1. Compensating
3.1.2.3.2. Recovery
3.1.2.3.3. Corrective
3.1.3. Techniques (non-discretionary, discretionary and mandatory)
3.1.4. Identification and Authentication
3.1.4.1. Factors
3.1.4.1.1. Type 1: Know
3.1.4.1.2. Type 2: Have
3.1.4.1.3. Type 3: Are
3.1.4.1.4. False Rejection Rate (FRR)
3.1.4.1.5. False Acceptance Rate (FAR)
3.1.4.1.6. Crossover Error Rate (CER)
3.1.4.2. Systems
3.1.4.2.1. Single Sign On (SSO)
3.1.4.2.2. Directory Services
3.1.4.2.3. Centralized access control
3.1.4.2.4. Remote Access Service (RAS)
3.1.5. Decentralized/distributed access control techniques
3.1.6. Authorization mechanisms
3.1.6.1. Authorization
3.1.6.1.1. Privileges
3.1.6.1.2. Access
3.1.6.1.3. Rights
3.1.6.2. Discretionary Access Control (DAC)
3.1.6.3. Access Control List (ACL)
3.1.6.4. Mandatory Access Control (MAC)
3.1.6.4.1. Security Labels
3.1.6.5. Role-based Access Control (RBAC)
3.1.6.6. Rule-based Access Control
3.1.7. Logging and monitoring
3.1.7.1. Clipping Level
3.1.7.2. Intrusion Detection (IDS)
3.1.7.2.1. Signature Based
3.1.7.2.2. Anomaly Based
3.1.7.3. Intrusion Protection (IPS)
3.1.7.4. NIPS/HIPS
3.2. Understand access control attacks
3.2.1. Threat modeling
3.2.2. Asset valuation
3.2.3. Vulnerability analysis
3.2.4. Access aggregation
3.3. Assess effectiveness of access controls
3.3.1. User entitlement
3.3.2. Access review & audit
3.4. Identity and access provisioning lifecycle (provisioning, review, revocation)
4. Security Architecture & Design
4.1. Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
4.1.1. Multilevel Models
4.1.1.1. Lattice-based
4.1.1.2. Matrix-based
4.1.1.3. Noninterference
4.1.2. Security Models
4.1.2.1. Bell-LaPadula (BLP)
4.1.2.1.1. Write Up Read Down
4.1.2.1.2. Confidentiality Focus
4.1.2.2. Biba Integrity Model
4.1.2.2.1. Write Down Read Up
4.1.2.2.2. Integrity Focus
4.1.2.3. Lipner Model
4.1.2.3.1. Mix of BLP & Biba
4.1.2.4. Clark-Wilson Integrity Model
4.1.2.4.1. Information Integrity Focus
4.1.2.5. Brewer and Nash (Chinese Wall) Model
4.1.2.5.1. Separation to avoid conflict of interests in company
4.1.2.6. Graham-Denning
4.1.2.6.1. Assigning Rights Focus
4.1.2.6.2. Subject & Object Creation
4.1.2.7. Harrison-Ruzzo-Ullman
4.1.2.7.1. Integrity of Access Rights
4.1.2.7.2. Extension of Graham-Denning
4.1.3. Architecture Frameworks
4.1.3.1. Zachman Framework
4.1.3.1.1. Enterprise Architecture Focus
4.1.3.2. Sherwood Applied Business Security Architecture (SABSA)
4.1.3.2.1. Enterprise Security Architecture Focus
4.1.3.3. The Open Group Architecture Framework (TOGAF)
4.1.3.3.1. Iterative approach relying heavily on modularization, standardization & proven tech.
4.1.3.4. Information Technology Infrastructure Library (ITIL)
4.1.3.4.1. Aligns IT to Business Needs
4.2. Understand the components of information systems security evaluation models
4.2.1. Product evaluation models (common criteria)
4.2.2. State Machine Model
4.2.3. Flow Model
4.3. Understand security capabilities of information systems (memory protection, virtualization, trusted platform module)
4.3.1. CPU
4.3.1.1. Processor Function (CPU)
4.3.1.1.1. Fetch
4.3.1.1.2. Decode
4.3.1.1.3. Execute
4.3.1.1.4. Store
4.3.1.2. Multitasking
4.3.1.2.1. Time windows to split up tasks
4.3.1.3. Protected Mode (Ring 3) User Mode
4.3.1.4. Privileged Mode (Ring 0) Kernel Mode
4.3.1.5. Multiprocessing
4.3.1.5.1. Many CPUs in a System
4.3.1.6. Multithreading
4.3.1.6.1. Application usage of CPU time
4.3.2. Memory
4.3.2.1. Primary
4.3.2.1.1. CPU Registers
4.3.2.1.2. L1 & L2 Cache
4.3.2.1.3. Main Memory
4.3.2.2. Secondary
4.3.2.2.1. Disk Drives
4.3.2.2.2. Optical Media
4.3.2.2.3. USB Drives
4.3.2.2.4. Tape Drives
4.3.2.2.5. External NAS/SAN
4.3.2.3. Virtual Memory
4.3.2.3.1. Uses Secondary to emulate Primary
4.3.2.4. Firmware
4.3.2.4.1. Embedded hardware ROM (BIOS)
4.3.3. Storage
4.3.3.1. Storage Area Network (SAN)
4.3.3.1.1. Fibre Channel
4.3.3.1.2. iSCSI (IP Based)
4.3.3.1.3. Block Level
4.3.3.2. Network Attached Storage (NAS)
4.3.3.2.1. File Level Access
4.3.3.2.2. Multi protocol support
4.3.3.3. Redundant Array of Independent Disk (RAID)
4.3.3.3.1. RAID 0
4.3.3.3.2. RAID 1
4.3.3.3.3. RAID 4
4.3.3.3.4. RAID 5
4.3.3.3.5. RAID 6
4.3.3.3.6. RAID 0+1
4.3.3.3.7. RAID 10
4.3.3.3.8. Striping = Performances
4.3.3.3.9. Mirroring = Fault Tolerance
4.3.4. Virtualization
4.3.4.1. Gateway between OS & Hardware
4.3.4.2. Cost efficiency
4.3.4.3. Operational efficiencies
4.3.4.4. Resource efficiencies
4.3.5. Cloud Computing
4.3.5.1. Platform as a Service (PaaS)
4.3.5.2. Software as a Service (SaaS)
4.3.5.3. Infrastructure as a Service (IaaS)
4.3.5.4. Deployment Models
4.3.5.4.1. Private
4.3.5.4.2. Public
4.3.5.4.3. Community
4.3.5.4.4. Hybrid
4.3.6. Trusted Computing Base (TCB)
4.3.6.1. Process Activation
4.3.6.2. Domain switching (Changing security Levels)
4.3.6.3. Memory Protection
4.3.6.4. I/O Operations
4.3.7. Reference Monitor
4.3.7.1. Manages access controls between subject & object
4.3.8. Certification & Accreditation
4.3.8.1. Trusted Computer System Evaluation Criteria (TCSEC)(Orange Book)
4.3.8.1.1. Classes (A, B, C, D)
4.3.8.1.2. Criteria (A1, B3, B2, B1, C2, C1, D)
4.3.8.2. Information Technology Security Evaluation Criteria (ITSEC)
4.3.8.2.1. Assurance
4.3.8.2.2. Functionality
4.3.8.3. Common Criteria (ISO/IEC 15408)
4.3.8.3.1. Protection Profile (PP)
4.3.8.3.2. Target of Evaluation (TOE)
4.3.8.3.3. Security Target (ST)
4.3.8.3.4. Evaluation Assurance Levels (EAL)
4.3.9. Database Security
4.3.9.1. Hierarchical DataBase Management System (DBMS)
4.3.9.1.1. Parent <> Child Hierarchy/Relationship
4.3.9.1.2. Single Tree
4.3.9.1.3. Single Table
4.3.9.2. Network DBMS
4.3.9.2.1. Stored as related objects
4.3.9.2.2. Many to many relationships
4.3.9.3. Relational DBMS
4.3.9.3.1. Structured in tables for relationships
4.3.9.3.2. Most Common (Oracle, Sybase, MySQL, MSSQL)
4.3.9.4. Terminology
4.3.9.4.1. Structured Query Language (SQL)
4.3.9.4.2. Open Database Connectivity (ODBC)
4.3.9.4.3. Extensible Markup Language (XML)
4.3.9.4.4. Object Linking and Embedding (OLE)
4.3.9.4.5. Active X Data Object (ADO)
4.3.9.4.6. Polyinstantiation
4.3.9.4.7. Normalization
4.3.9.4.8. Views
4.3.9.5. Data warehouse
4.3.9.5.1. DB <> Warehouse collection
4.3.9.6. Data mining
4.3.9.6.1. User <> Warehouse formatting
4.4. Understand the vulnerabilities of security architectures
4.4.1. System
4.4.1.1. Emanations
4.4.1.1.1. TEMPEST
4.4.1.2. State Attacks
4.4.1.2.1. Time Of Check, Time Of Use (TOCTOU)
4.4.1.2.2. Vulnerabilities of transitions between states
4.4.1.3. Covert Channels
4.4.1.3.1. Maintenance communications
4.4.2. Technology and process integration (single point of failure, service oriented architecture)
5. Software Development Security
5.1. Understand and apply security in the software development life cycle
5.1.1. Development Life Cycle
5.1.1.1. Waterfall
5.1.1.1.1. Structured
5.1.1.1.2. Clean room
5.1.1.1.3. Spiral
5.1.1.2. Iterative
5.1.1.2.1. Rapid Application Development (RAD)
5.1.1.2.2. Joint Applications Development (JAD)
5.1.1.2.3. Dynamic Systems Development Model (DSDM)
5.1.1.3. Agile
5.1.1.3.1. eXtreme Programming (XP)
5.1.1.3.2. Scrum
5.1.1.4. Open Source
5.1.1.5. Computer Aided Software Engineering (CASE)
5.1.1.6. End-user Development
5.1.1.6.1. Tools & Dev belong to anyone
5.1.1.7. Object-Oriented
5.1.1.7.1. Code & Data reusable
5.1.2. Maturity models
5.1.3. Operation and maintenance
5.1.4. Change management
5.2. Understand the environment and security controls
5.2.1. Security of the software environment
5.2.1.1. Systems
5.2.1.1.1. Distributed Computing Environment (DCE)
5.2.1.1.2. OnLine Transaction Processing (OLTP)
5.2.1.1.3. Common Object Request Broker Architecture (CORBA)
5.2.1.1.4. Knowledge Management
5.2.1.1.5. Expert Systems
5.2.2. Security issues of programming languages
5.2.2.1. Compiled
5.2.2.1.1. BASIC
5.2.2.1.2. COBOL
5.2.2.1.3. Java
5.2.2.1.4. C
5.2.2.1.5. C#
5.2.2.1.6. C++
5.2.2.1.7. Ada
5.2.2.1.8. Visual Basic
5.2.2.2. Interpreted
5.2.2.2.1. Perl
5.2.2.2.2. Python
5.2.2.2.3. JavaScript
5.2.3. Security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor)
5.2.3.1. Software Testing Methods
5.2.3.1.1. White box
5.2.3.1.2. Black box
5.2.3.1.3. Gray box
5.2.3.2. Input Validation
5.2.3.2.1. SQL Injection
5.2.3.2.2. Buffer under/over runs
5.2.3.3. Trapdoor/Backdoor
5.2.3.4. Misconfigurations
5.2.3.5. Covert Channels
5.2.3.6. Object Reuse
5.2.3.7. Cross-Site Scripting (XSS)
5.2.3.8. Cross-Site Request Forgery (CSRF)
5.2.3.9. Viruses
5.2.3.9.1. File Infectors
5.2.3.9.2. Boot Sector
5.2.3.9.3. E-Mail
5.2.3.9.4. Macro
5.2.3.9.5. Polymorphic
5.2.3.9.6. Multipartite
5.2.3.10. Malware
5.2.3.10.1. Worms
5.2.3.10.2. Trojan horse
5.2.3.10.3. Spyware
5.2.3.10.4. Logic Bomb
5.2.3.10.5. Rootkit
5.2.3.10.6. Salami attack
5.2.3.10.7. Data diddling
5.2.4. Configuration management
5.3. Assess the effectiveness of software security
5.3.1. Certification and accreditation (i.e., system authorization)
5.3.1.1. Building Security In Maturity Model (BSIMM)
5.3.1.1.1. Software Security Framework (SSF)
5.3.1.2. Software Engineering Institute (SEI) Capability Maturity Model (CMM)
5.3.1.2.1. 1. Initial
5.3.1.2.2. 2. Repeatable
5.3.1.2.3. 3. Defined
5.3.1.2.4. 4. Managed
5.3.1.2.5. 5. Optimizing
5.3.1.3. Open Web Application Security Project (OWASP)
5.3.1.4. Web Application Security Consortium (WASC)
5.3.2. Auditing and logging
5.3.3. Risk analysis and mitigation
6. Legal, Regulations, Investigations & Compliance
6.1. Understand legal issues that pertain to information security internationally
6.1.1. Computer crime
6.1.1.1. Any illegal action where data on a computer is accessed without permission.
6.1.1.2. Identity theft
6.1.1.3. Investment fraud
6.1.1.4. Employment fraud
6.1.2. Intellectual property
6.1.2.1. Patent
6.1.2.1.1. Strongest Form
6.1.2.2. Trademark
6.1.2.2.1. Associated with words, symbols, colors
6.1.2.3. Copyright
6.1.2.4. Trade secrets
6.1.2.4.1. Must provide some benefit
6.1.2.4.2. Reasonable protection must be applied
6.1.2.5. Licensing
6.1.2.5.1. Software categories
6.1.2.5.2. Master Agreements
6.1.2.5.3. End-User Licensing Agreements (EULA)
6.1.3. Import/Export
6.1.4. Trans-border data flow
6.1.4.1. World Intellectual Property Organization (WIPO)
6.1.4.2. Organization for Economic Cooperation and Development (OECD)
6.1.4.3. Wassenaar Arrangement
6.1.4.4. Council of Europe Convention on Cybercrime
6.1.5. Privacy
6.1.5.1. Personally Identifiable Information (PII)
6.1.5.1.1. Varies based on organization & country
6.1.5.2. Payment Card Industry Data Security Standard (PCI DSS)
6.1.5.3. US Health Insurance Portability and Accountability Act (HIPAA)
6.1.5.4. Personal Information Protection and Electronic Documents Act (PIPEDA)
6.1.5.5. Federal Information Security Management Act (FISMA)
6.1.5.6. UK Data Protection Act (DPA)
6.1.5.7. European Union (EU) Data Protection Directive
6.2. Understand professional ethics
6.2.1. (ISC)² Code of Professional Ethics
6.2.1.1. CISSP Expectation
6.2.1.1.1. Set the example
6.2.1.1.2. Encourage adoption
6.2.2. Support organization's code of ethics
6.2.2.1. RFC 1807
6.2.2.1.1. Internet Architecture Board (IAB)
6.2.3. Formal Ethics Theory
6.2.3.1. Teleology (Utilitarian)
6.2.3.2. Deontology (Obligation)
6.3. Understand and support investigations
6.3.1. Policy, roles and responsibilities (e.g., rules of engagement, authorization, scope)
6.3.2. Incident handling and response
6.3.2.1. Five Stages
6.3.2.1.1. 1. Triage
6.3.2.1.2. 2. Investigate
6.3.2.1.3. 3. Containment
6.3.2.1.4. 4. Analysis & Tracking
6.3.2.1.5. 5. Recovery
6.3.3. Evidence collection and handling
6.3.3.1. Aspects of Investigations
6.3.3.1.1. Acquisition
6.3.3.1.2. Authentication
6.3.3.1.3. Analysis
6.3.3.2. Suspect Identification
6.3.3.2.1. Means, Opportunity, Motive (MOM)
6.3.3.3. Locard's Principle of Exchange
6.3.3.3.1. Criminals leave something behind
6.3.3.4. Digital Forensics
6.3.3.4.1. Identification
6.3.3.4.2. Collect & Preserve
6.3.3.4.3. Examine
6.3.3.4.4. Present Findings
6.3.4. Reporting and documenting
6.4. Understand forensic procedures
6.4.1. Media analysis
6.4.2. Network analysis
6.4.3. Software analysis
6.4.4. Hardware/embedded device analysis
6.4.5. Types of Evidence
6.4.5.1. Direct
6.4.5.1.1. Provided by witness
6.4.5.2. Real
6.4.5.2.1. Something physical
6.4.5.3. Documentary
6.4.5.3.1. Contracts & Legal Papers
6.4.5.4. Demonstrative
6.4.5.4.1. Expert Testimony
6.4.5.5. Hearsay
6.4.5.5.1. Second Hand
6.4.5.6. Criteria Required
6.4.5.6.1. Authentic
6.4.5.6.2. Accurate
6.4.5.6.3. Complete
6.4.5.6.4. Convincing
6.4.5.6.5. Admissible
6.5. Understand compliance requirements and procedures
6.5.1. Regulatory environment
6.5.1.1. HIPAA
6.5.1.2. SOX
6.5.1.3. US Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
6.5.1.4. BASEL II
6.5.1.5. PCI DSS
6.5.2. Audits
6.5.3. Reporting
6.6. Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)
6.7. Legal Systems
6.7.1. Common
6.7.1.1. Components
6.7.1.1.1. Legal Precedent
6.7.1.1.2. Customs
6.7.1.1.3. Societal Tradition
6.7.1.1.4. Adversarial Litigation
6.7.1.1.5. Reasonable Doubt
6.7.1.2. Criminal
6.7.1.2.1. Loss of freedom
6.7.1.3. Tort
6.7.1.3.1. Deals with Civil Matters
6.7.1.4. Administrative
6.7.1.4.1. Regulations & Control of power
6.7.2. Civil
6.7.2.1. Relies on legislation & written rules
6.7.2.2. Code-based
6.7.2.3. Napoleonic
6.7.3. Religious
6.7.4. Customary
6.7.5. Mixed
6.7.6. Maritime
6.8. Legal Concepts
6.8.1. Jurisdiction
6.8.2. Sovereignty
6.8.3. Liability
6.8.4. Negligence
6.8.5. Due Care
6.8.6. Due Diligence
6.8.7. Obligation
7. Information Security Governance & Risk Management
7.1. Understand and align security function to goals, mission and objectives of the organization
7.2. Understand and apply security governance
7.2.1. Organizational processes
7.2.1.1. Acquisitions
7.2.1.2. Divestitures
7.2.1.3. Governance Committees
7.2.2. Security roles and responsibilities
7.2.2.1. Data Owner
7.2.2.1.1. Protection & Classification of data
7.2.2.2. Data Custodian
7.2.2.2.1. Implements & Maintains Controls
7.2.3. Legislative and regulatory compliance
7.2.4. Privacy requirements compliance
7.2.5. Control frameworks
7.2.6. Due care
7.2.7. Due diligence
7.3. Understand and apply concepts of confidentiality, integrity and availability
7.4. Develop and implement security policy
7.4.1. Security policies
7.4.1.1. Strategic
7.4.1.1.1. High Level
7.4.1.1.2. Broad
7.4.1.1.3. Long-range
7.4.1.1.4. Corporate Policy
7.4.1.2. Tactical
7.4.1.2.1. Mid-level focus
7.4.1.2.2. Impacts entire organization
7.4.1.2.3. Standards
7.4.1.2.4. Baselines
7.4.1.2.5. Guidelines established
7.4.1.3. Operational
7.4.1.3.1. Affects day to day
7.4.1.3.2. Processes
7.4.1.3.3. Procedures
7.4.1.4. Example
7.4.1.4.1. ISO 27001 (Policy focus)
7.4.1.4.2. ISO 27002 (Procedure focus)
7.4.2. Standards/baselines
7.4.2.1. Set basis for common practice
7.4.2.2. Can come from industry, orgs or Gov't.
7.4.3. Procedures
7.4.3.1. Required minimum levels
7.4.4. Guidelines
7.4.4.1. Recommendations
7.4.5. Documentation
7.4.5.1. Step-by-step descriptions
7.5. Manage the information life cycle (e.g., classification, categorization, and ownership)
7.5.1. Private
7.5.1.1. Confidential
7.5.1.2. Private
7.5.1.3. Sensitive
7.5.1.4. Public
7.5.2. US Government
7.5.2.1. Top Secret
7.5.2.2. Secret
7.5.2.3. Confidential
7.5.2.4. Sensitive But Unclassified (SBU)
7.5.2.5. Unclassified
7.6. Manage third-party governance
7.6.1. On-site assessment
7.6.2. Document Exchange & Review
7.6.3. Process & Policy Review
7.7. Understand and apply risk management concepts
7.7.1. Identify threats and vulnerabilities
7.7.1.1. Cause
7.7.1.1.1. Man-made
7.7.1.1.2. Natural
7.7.1.2. Time
7.7.1.2.1. Speed of Onset
7.7.1.2.2. Speed of Recession
7.7.1.3. Destructiveness
7.7.1.3.1. Physical
7.7.1.3.2. Logical
7.7.1.4. Duration
7.7.1.4.1. Permanent
7.7.1.4.2. Temporary
7.7.1.5. Extent
7.7.1.5.1. Size/Scope
7.7.1.6. Directness
7.7.1.6.1. Direct (Fire)
7.7.1.6.2. Indirect (Smoke)
7.7.2. Risk assessment/analysis
7.7.2.1. Qualitative
7.7.2.1.1. Non-Numerical (Low, Medium, High)
7.7.2.1.2. Dependent on judgment, intuition & experience
7.7.2.1.3. Techniques
7.7.2.2. Quantitative
7.7.2.2.1. Based on Numerical values
7.7.2.2.2. Values Remain Constant
7.7.2.2.3. Methods
7.7.2.2.4. Techniques
7.7.2.3. Hybrid
7.7.2.3.1. Numerical only relevant within assessment
7.7.3. Risk Handling
7.7.3.1. Mitigation/Reduction
7.7.3.1.1. Take effort to prevent loss
7.7.3.1.2. Example: Buy Snow Tires
7.7.3.2. Transfer
7.7.3.2.1. Insurance
7.7.3.2.2. Outsource
7.7.3.2.3. Example: Take Taxi
7.7.3.3. Avoid
7.7.3.3.1. Example: Don't Drive
7.7.3.4. Accept
7.7.3.4.1. Example: Drive Anyway
7.7.4. Countermeasure selection
7.7.5. Tangible and intangible asset valuation
7.7.6. Publications
7.7.6.1. NIST SP 800-30
7.7.6.1.1. Defines steps in risk assessment
7.8. Manage personnel security
7.8.1. Employment candidate screening
7.8.1.1. Reference Checks
7.8.1.2. Education
7.8.1.3. Verification
7.8.2. Employment agreements and policies
7.8.3. Employee termination processes
7.8.4. Vendor, consultant and contractor controls
7.9. Develop and manage security education, training and awareness
7.10. Manage the Security Function
7.10.1. Budget
7.10.2. Metrics
7.10.3. Resources
7.10.4. Develop and implement information security strategies
7.10.5. Assess the completeness and effectiveness of the security program
7.10.5.1. Awareness
7.10.5.2. Training
7.10.5.3. Education
8. Business Continuity & Disaster Recovery Planning
8.1. Understand business continuity requirements
8.1.1. Develop and document project scope and plan
8.1.1.1. Obtain leadership buy-in
8.1.2. Standards
8.1.2.1. BS 25999
8.1.2.2. BS 22301
8.1.2.3. ISO 27001 Annex A
8.1.2.4. NIST SP 800-34
8.2. Conduct business impact analysis
8.2.1. Identify and prioritize critical business functions
8.2.2. Determine maximum tolerable downtime and other criteria
8.2.2.1. Recovery Time Objective (RTO)
8.2.2.2. Mean Time To Recovery (MTTR)
8.2.2.3. Mean Time Between Failures (MTBF)
8.2.2.4. Maximum Tolerable Period of Downtime (MTPD)
8.2.2.5. Maximum Tolerable Downtime (MTD)
8.2.3. Assess exposure to outages
8.2.3.1. Local
8.2.3.2. Regional
8.2.3.3. Global
8.2.4. Define recovery objectives
8.2.4.1. Recovery Point Objectives (RPO)
8.2.4.2. Backup Strategies
8.2.4.2.1. Cold
8.2.4.2.2. Hot
8.2.4.2.3. Full
8.2.4.2.4. Differential
8.2.4.2.5. Incremental
8.3. Develop a recovery strategy
8.3.1. Implement a backup storage strategy
8.3.1.1. Offline Storage
8.3.1.2. Electronic Vaulting
8.3.1.3. Tape Rotation
8.3.2. Recovery site strategies
8.3.2.1. Dual Data Center
8.3.2.2. Hot
8.3.2.3. Warm
8.3.2.4. Cold
8.3.2.5. Mobile
8.4. Understand disaster recovery process
8.4.1. Response
8.4.2. Personnel
8.4.3. Communications
8.4.4. Assessment
8.4.5. Restoration
8.4.6. Provide training
8.5. Exercise, assess and maintain the plan
8.5.1. Version Control
8.5.1.1. Update plans annually at a minimum
8.5.2. Distribution
8.5.3. Assessment Types
8.5.3.1. Full Interruption
8.5.3.1.1. Shutdown & Relocate
8.5.3.2. Parallel Testing
8.5.3.2.1. Recreation of Work
8.5.3.3. Simulation
8.5.3.3.1. Functional Test/War Game
8.5.3.4. Walk Through
8.5.3.4.1. Tabletop
8.5.3.5. Desk Check
8.5.3.5.1. Review Plan
9. Telecommunications & Network Security
9.1. Understand secure network architecture and design
9.1.1. OSI and TCP/IP models
9.1.1.1. Open Systems Interconnect (OSI) Model
9.1.1.1.1. Layer 7: Application
9.1.1.1.2. Layer 6: Presentation
9.1.1.1.3. Layer 5: Session
9.1.1.1.4. Layer 4: Transport
9.1.1.1.5. Layer 3: Network
9.1.1.1.6. Layer 2: Data Link
9.1.1.1.7. Layer 1: Physical
9.1.1.2. TCP/IP
9.1.1.2.1. Application
9.1.1.2.2. Transport
9.1.1.2.3. Internetwork
9.1.1.2.4. Network Access
9.1.2. IP networking
9.1.2.1. VLANs
9.1.2.2. Encapsulation
9.1.2.2.1. Adds header information to payload
9.1.2.3. De-encapsulation
9.1.2.3.1. Removes header information from payload
9.1.2.4. Routing Protocols
9.1.2.4.1. RIP
9.1.2.4.2. OSPF
9.1.2.4.3. BGP
9.1.3. Implications of multi-layer protocols
9.1.3.1. Supervisory Control And Data Acquisition (SCADA)
9.1.3.1.1. Modbus
9.1.3.1.2. Fieldbus
9.1.3.1.3. Distributed Network Protocol (DNP)
9.2. Securing network components
9.2.1. Hardware
9.2.1.1. Modems
9.2.1.2. Switches
9.2.1.3. Routers
9.2.1.4. Wireless Access Points
9.2.2. Transmission media
9.2.2.1. Wired
9.2.2.2. Wireless
9.2.2.3. Fiber
9.2.3. Network access control devices
9.2.3.1. Firewalls
9.2.3.2. Proxies
9.2.4. End-point security
9.3. Establish secure communication channels
9.3.1. Voice
9.3.1.1. POTS
9.3.1.2. PBX
9.3.1.3. VoIP
9.3.2. Multimedia collaboration
9.3.2.1. Remote Meetings
9.3.2.2. Instant Messaging
9.3.3. Remote access
9.3.3.1. Screen Scraping
9.3.3.2. Virtual Desktops
9.3.3.3. Telecommuting
9.3.3.4. VPN
9.3.3.4.1. Point to Point Tunnelling Protocol (PPTP)
9.3.3.4.2. Layer 2 Tunneling Protocol (L2TP)
9.3.4. Data communications
9.3.4.1. SSL
9.3.4.2. TLS
9.3.4.3. MultiProtocol Label Switching (MPLS)
9.3.4.3.1. QoS
9.3.4.3.2. Packet Switched
9.3.4.3.3. Segmentation
9.3.4.4. WAN
9.3.4.4.1. T1, T3
9.3.4.4.2. E1, E3
9.3.4.4.3. OC1, OC12
9.3.4.4.4. Asynchronous Transfer Mode (ATM)
9.3.4.4.5. Frame Relay
9.3.4.4.6. xDSL
9.3.4.4.7. Integrated Services Digital Network (ISDN)
9.3.4.5. IPSec
9.3.4.5.1. Authentication Header (AH)
9.3.4.5.2. Encapsulating Security Payload (ESP)
9.3.4.5.3. Security Association (SA)
9.4. Understand network attacks
9.4.1. DDoS
9.4.2. Spoofing
9.4.3. Host Based IDS (HIDS)
9.4.4. Network Based IDS (NIDS)
10. Physical (Environmental) Security
10.1. Understand site and facility design considerations
10.1.1. Crime Prevention Through Environmental Design (CPTED)
10.1.1.1. Physical Layout
10.1.1.2. Monitoring
10.1.1.3. Hardening
10.1.2. Power Faults
10.1.2.1. Blackout
10.1.2.2. Brownout
10.1.2.3. Sag
10.1.2.4. Fault
10.1.2.5. Spike
10.1.2.6. Surge
10.1.2.7. Noise
10.1.2.8. Transient
10.1.2.9. In-Rush
10.2. Support the implementation and operation of perimeter security (e.g., physical access control and monitoring, audit trails/access logs)
10.2.1. Fences
10.2.1.1. Heights
10.2.1.1.1. 1 Meter
10.2.1.1.2. 2 Meters
10.2.1.1.3. 2.5 Meters
10.2.1.2. Mesh Size
10.2.1.2.1. 1"
10.2.1.2.2. 2"
10.2.1.2.3. 3/8"
10.2.1.3. Gauge (Smaller = Thicker)
10.2.1.3.1. 6
10.2.1.3.2. 9
10.2.1.3.3. 11
10.2.1.3.4. 12
10.2.2. Bollards
10.2.3. Natural
10.2.3.1. Trees
10.2.3.2. Berms
10.2.3.3. Gullies
10.2.4. Walls
10.2.5. Doors
10.2.5.1. Fail Safe
10.2.5.2. Fail Secure
10.2.5.3. Tailgating/Piggybacking
10.2.6. CCTV
10.2.6.1. 5 foot-candles (fc) for critical areas
10.2.6.2. 2 fc for normal operations
10.2.7. Windows
10.2.7.1. Plate
10.2.7.2. Tempered
10.2.7.3. Acrylic Polycarbonate
10.2.7.4. Laminate
10.2.7.5. Embedded Wire
10.2.8. Lighting
10.2.8.1. Fluorescent
10.2.8.2. LED
10.2.8.3. Mercury Vapor
10.2.8.4. Sodium Vapor
10.2.8.5. Quartz
10.3. Support the implementation and operation of internal security
10.3.1. Escort Requirements
10.3.2. Visitor Control
10.3.3. Keys & Locks
10.3.3.1. Locks
10.3.3.1.1. Key
10.3.3.1.2. Combination
10.3.3.1.3. Biometric
10.3.3.1.4. Electronic
10.3.3.1.5. Shear Point
10.4. Support the implementation and operation of facilities security (e.g., technology convergence)
10.4.1. Communications and server rooms
10.4.2. Restricted and work area security
10.4.3. Data center security
10.4.3.1. Intrusion Detection
10.4.3.1.1. Active Infrared
10.4.3.1.2. Passive Infrared
10.4.4. Utilities and Heating, Ventilation and Air Conditioning (HVAC) considerations
10.4.4.1. Volume
10.4.4.1.1. Size of facility considerations
10.4.4.2. Humidity Levels
10.4.4.2.1. Equipment requirements
10.4.4.3. Temperature
10.4.4.3.1. Consistent
10.4.4.4. Quality
10.4.4.4.1. Dust & Contaminant Removal
10.4.5. Water issues
10.4.5.1. Leakage
10.4.5.2. Flooding
10.4.6. Fire
10.4.6.1. Prevention
10.4.6.2. Detection
10.4.6.3. Suppression
10.4.6.4. Requirements
10.4.6.4.1. Oxygen
10.4.6.4.2. Heat
10.4.6.4.3. Fuel
10.4.6.5. Types
10.4.6.5.1. Class A
10.4.6.5.2. Class B
10.4.6.5.3. Class C
10.4.6.5.4. Class D
10.4.6.5.5. Class K
10.4.6.5.6. Combustible, Fluids, Excite, Me, K?
10.5. Support the protection and securing of equipment
10.6. Understand personnel privacy and safety (e.g., duress, travel, monitoring)
10.7. Goals
10.7.1. Deter
10.7.1.1. Signs, Fences
10.7.2. Delay
10.7.2.1. Locks
10.7.3. Detect
10.7.3.1. Sensors, Cameras
10.7.4. Assess
10.7.4.1. Weather Emergency Process
10.7.5. Respond
10.7.5.1. Reaction Team
10.7.6. Recover
10.7.6.1. Data Restoration
10.7.7. Life, Health & Safety take precedence.